
My site was compromised by an FTP brute-force attack and the cracker modified / created some files in my home directory.

Let's say the date of the malicious creation / modification is 2011-4-5 21:38:09. How can I find other files in public_html that were modified / created around that time?

I tried searching via Google but found nothing helpful. Can you please give me some examples, like ls or find? Thanks!

datasn.io

5 Answers

You can:

touch -m -t 201104052138.08 /tmp/timestamp

find /dir -newer /tmp/timestamp

The initial touch creates a file with an mtime of one second before your required timestamp, and the find then uses that to find files modified (in terms of content) after that time.

You will also want to check permissions and group ownership. You can't use the above technique to do that, since touch can only change the atime and the mtime. So, you're better off determining what the correct permissions are, and just resetting them. For example, if typically your web files are owned by root with group www-pub, and have permissions 0755 for directories and 0644 for files, you can use

find /dir \! -user root 

to find files and directories not owned by root and

find /dir \! -group www-pub 

to find files and directories not owned by www-pub

The -perm flag to find can be used to find files based on permissions, too, but you're better off just setting things to what they should be.

find /dir -exec chown root:www-pub {} \;
find /dir -type f -exec chmod 0644 {} \;
find /dir -type d -exec chmod 0755 {} \;
Amine Zaine
malcolmpdx

Use find

# find /home -ctime -2

That means "find files on /home that changed in the last 48 hours". The 2 is multiplied by 24 hours, so if you need 72 hours you use 3, and so on. If you need to find the files that changed MORE than X days ago, use + instead of -.

You want to probably list the files so:

# find /home -ctime -2 -exec ls -l {} \;

Remember that ctime includes files created or changed in the last X hours.

coredump
  • Good point. I keep forgetting that ctime is always updated whenever the file is modified. – malcolmpdx Apr 07 '11 at 14:29
  • It's that we always associate ctime with creation time, but it's change time, including the first change, which is creation :) – coredump Apr 07 '11 at 14:36
  • I've cured myself of thinking of ctime as "create time", but forget that it's set by the kernel on any file op other than read(). I keep thinking it's only for inode modification (which it is, but mtime is part of the inode, which means that modifications update the inode, and therefore the ctime). :) One of these days, that will sink in. – malcolmpdx Apr 07 '11 at 14:38
  • @malcolm if it was easy it would be windows :P – coredump Apr 07 '11 at 14:39
  • started on unix myself, so Windows continues to look like a snarled mess to me. Try programmatically determining the modification time of a hidden NTFS filestream without using third-party tools! :) – malcolmpdx Apr 07 '11 at 14:44
find /dir -newermt "2011-xx-xx"

or you can look here

coredump
MealstroM

You can use the -mtime switch to accomplish this task.

jscott
Ajo Augustine

To find files on/around a specific date (as opposed to since a certain date) you will need to write a custom script. There are two options for this:

  • A script which finds the files
  • A script which tests a single file that you can embed into a find command

The first one is definitely more efficient. A very crude Perl example would be:

#!/usr/bin/perl
use strict;
use warnings;

use POSIX();
use File::Find();

sub usage() { die "usage: finddate yyyy-mm-ddThh:mm:ss marginsecs dirs..." }

my( $mindate, $maxdate );

# Called by File::Find for every entry; $_ is the entry name relative to the
# directory File::Find has already chdir'ed into, $File::Find::name the full path.
sub checkdate()
{
    my @data = stat($_) or return;   # skip entries we cannot stat (e.g. dangling symlinks)
    foreach my $idx ( 9, 10 ) # stat fields: 9 = mtime, 10 = ctime
    {
        if( $data[$idx] >= $mindate && $data[$idx] <= $maxdate )
        {
            print "$File::Find::name\n";
            last;   # report each file once even if both timestamps match
        }
    }
}

# Main Program
{
    usage() unless @ARGV >= 3;
    my $dtxt = shift(@ARGV);
    my $margin = shift(@ARGV);
    my $date;
    if( $dtxt =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)$/ )
    {
        # mktime takes sec, min, hour, mday, month (0-based), year (since 1900)
        $date = POSIX::mktime( $6, $5, $4, $3, $2-1, $1-1900 );
    }
    else
    {
        usage();
    }
    $mindate = $date - $margin;
    $maxdate = $date + $margin;
    File::Find::find( \&checkdate, @ARGV );
}

Sample usage:

finddate.pl 2011-03-02T01:40:00 600 .

The single-file test is pretty much the same thing except:

  • it takes a single file instead of a list of directory arguments
  • The checkdate function takes a filename parameter instead of using $_
  • The checkdate function will return 1 if the check passes or 0 otherwise
  • The last line is now exit( !checkdate(@ARGV) );

You can then use this in a normal find command like

find dir -exec finddate.pl 2011-03-02T01:40:00 600 {} \; -print
Sodved